
Hacker Hides Malware in Image Taken by James Webb Telescope

Because of the obfuscation techniques the hacker used, the malware's execution and behaviour were hard for antivirus tools to detect and for analysts to examine.

Published September 3, 2022

Hackers misused an image taken by the James Webb Space Telescope by hiding malicious software in it. According to reports, the image was combined with obfuscated payloads written in the Go (Golang) programming language and used to carry out a malware attack.

The hackers began by sending an email with an infected Microsoft Office attachment, ‘Geos-Rates.docx’. The document carried an external reference hidden in its metadata that pointed to a malicious template file. When opened, it downloaded that template from the URL ‘hxxp://www.xmlschemeformat.com/update/2021/office/form.dotm’.

How does the malicious file work?

Whenever a user opened the document, the malicious template, which contained an Office macro written in VBA, was automatically downloaded and saved on the system. Once the user enabled macros, the VBA code ran automatically and began the attack.

The macro then downloaded a file named ‘OxB36F8GEEC634.jpg’ to the system and used the built-in Windows utility ‘certutil.exe’ to decode it into an executable binary, which was then run.

Users duped by the James Webb telescope image

Investigation established that the .jpg file, which displayed a genuine-looking image, also contained malicious Base64-encoded code. The convincing image led users to trust the file. The payload nonetheless evaded all the antivirus tools on the system, because the Base64 data was decoded into a binary written in Go, the open-source programming language.
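As an added, defender-side illustration that is not part of the original article: a Python check that looks for Base64 data appended after a JPEG's end-of-image marker, decodes it the way ‘certutil -decode’ would (PEM armour lines stripped), and reports whether the result looks like a Windows executable or a Go binary. The sample image bytes and fake payload below are constructed for the example.

```python
"""Detect a Base64-encoded executable appended to a JPEG (constructed sample data)."""
import base64
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # Start Of Image marker
JPEG_EOI = b"\xff\xd9"  # End Of Image marker; image viewers ignore anything after it
B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def trailing_data(image: bytes) -> bytes:
    """Return the bytes that follow the last End-Of-Image marker (empty if none)."""
    idx = image.rfind(JPEG_EOI)
    if not image.startswith(JPEG_SOI) or idx < 0:
        return b""
    return image[idx + 2:]


def decode_certutil_style(blob: bytes) -> Optional[bytes]:
    """Decode Base64 as certutil -decode does: drop -----BEGIN/END----- lines and whitespace."""
    lines = [ln.strip() for ln in blob.splitlines() if not ln.strip().startswith(b"-----")]
    text = b"".join(lines)
    if len(text) < 16 or B64_ALPHABET.fullmatch(text) is None:
        return None  # not a clean Base64 blob (e.g. ordinary padding or EXIF junk)
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None


def classify_payload(data: bytes) -> list[str]:
    """Name the executable indicators present in the decoded bytes."""
    hits = []
    if data[:2] == b"MZ":            # DOS/PE executable header
        hits.append("pe_header")
    if b"Go build ID:" in data:      # string the Go linker embeds in its binaries
        hits.append("go_binary")
    return hits


def scan_image(image: bytes) -> dict:
    """Summarise whether a JPEG carries a decodable, executable-looking trailer."""
    tail = trailing_data(image)
    decoded = decode_certutil_style(tail) if tail else None
    return {"trailing_bytes": len(tail), "decoded": decoded is not None,
            "indicators": classify_payload(decoded or b"")}


# Constructed sample: a minimal JPEG skeleton and a fake PE/Go header, Base64-armoured.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b'Go build ID: "constructed"'
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
ARMOURED = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.encodebytes(FAKE_PE)
            + b"-----END CERTIFICATE-----\r\n")
SUSPICIOUS_JPEG = CLEAN_JPEG + ARMOURED
```

Run against a directory of downloaded images, a hit on both indicators is a strong signal that the file is a carrier rather than a picture, and pairing it with process telemetry for ‘certutil.exe -decode’ on user-writable paths covers the decode step the article describes.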

Because of the obfuscation techniques, the malware's execution and behaviour were difficult for antivirus tools to detect and for analysts to examine. Moreover, the hackers maintained persistence by adding the implanted binary to the Windows registry ‘Run’ key, which launches it again at each logon.

Regarded as the world’s premier space science observatory, the James Webb Space Telescope is the largest optical telescope launched into space. It was launched on 25 December 2021, and the first image taken by the telescope was made public on 11 July 2022. The deep field image caught the attention of many because it showed the deepest and sharpest view of the universe ever captured, in near-infrared light.

Written by: Editorial

The Cyber Express is a publication that aims to provide the latest news and analysis about the information security industry. The news comes from a variety of sources and is updated regularly so that readers can stay up to date with the latest happenings in this rapidly growing field.